- Using JSON Web Tokens (JWT) with OAuth2 is a lightweight way for microservices to authenticate callers and make authorization decisions without adding to the request payload. JWTs are issued by OAuth2 servers such as PCF's UAA and sent in the HTTP Authorization header. Frameworks like Spring Security make it easy for apps to work with OAuth2.
- Scopes in JWTs are used for role-based access control. A token carries only the scopes permitted by all three of the user's groups, the client's configuration, and the user's consent. An identity provider maps groups to scopes.
- The Universal Identity Service Broker can help demonstrate end-to-end cloud native identity services on PCF.
2. Reduce Risk in Your App Portfolio
Running Secure Microservices on PCF by Default
Practices:
● Keep critical systems at 100% patch levels
● Automate the path to production
Make the Secure Thing, the Easy Thing:
● “Secure by default”
● Immutable infrastructure
● Automate dependency management
Keep Up with Industry Regulations & Auditors:
● Embedded OS
● Inherited controls
● Use existing IdM policies
4. Security: Providing Authorization Support to Microservices
Every microservice should be able to authenticate its callers easily and make its own authorization decisions.
5. Use JWT with OAuth2
JSON Web Token (JWT) is a protocol-independent, JSON-based token that can be
passed in the HTTP Authorization header.
This is a lightweight solution: the token travels in a header, so it does not add to the
request body, and it is language independent.
JWTs are issued by any OAuth2/OpenID Connect server implementation; PCF's UAA server
is one such OAuth2 provider. The token is sent as a Bearer token in the ‘Authorization’
HTTP header with each HTTP request. The receiving service must validate the token
before trusting it: check the signature against the issuer's key, and check the issuer,
audience and expiry claims, before reading any scope from it.
Frameworks like Spring Security make it easy for Spring Boot apps to work with
OAuth2 server implementations to issue and validate JWTs.
6. JWT typically looks like
Scopes for Role Based Access Control
A token may carry a scope only if every one of these holds:
● User is allowed to have the scope (UAA group)
● Client is allowed to have the scope (client config)
● User consented to the client using the scope (to prevent
malicious apps); auto-approve skips this step
The token's scopes are the intersection of all of the above.
Example:
IdP maps “Groups” to menu.* and order.*
User has “Group”: menu.read, order.admin, order.me
Client: menu.read, order.me
User consents to todo.read
Since todo.read is held by neither the user nor the client, the intersection is empty and
the token carries no scope; only a consented scope that is also in the user's groups and
the client's configuration (here menu.read or order.me) would end up in the token.
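The following is an added example (not code from the slides or from UAA) that carries the scope rule from this slide and the token handling from slide 5 through in plain Python, so the pieces can be run without a UAA or Spring Boot: `granted_scopes` computes the intersection of user groups, client configuration and consent (with the auto-approve shortcut), `mint_token` plays the issuer, and `verify_token`/`authorize` play a resource server that pins the algorithm, checks the signature and the `iss`, `aud` and `exp` claims, and only then enforces a required scope. For self-containment it signs with an HS256 shared secret; a real UAA signs with an RSA key (RS256) and resource servers fetch the public key, so `SECRET`, the issuer URL `https://uaa.example.test/oauth/token` and the client id `order-ui` are constructed placeholders, while the group and client scope lists are the ones on the slide.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. A real UAA signs with an RSA key pair (RS256), not a shared secret.
SECRET = b"demo-shared-secret-do-not-use"
ISSUER = "https://uaa.example.test/oauth/token"          # hypothetical issuer URL
CLIENT_ID = "order-ui"                                   # hypothetical OAuth2 client id
USER_GROUPS = ["menu.read", "order.admin", "order.me"]   # user's groups, from the slide
CLIENT_SCOPES = ["menu.read", "order.me"]                # client's allowed scopes, from the slide


def b64url_encode(data: bytes) -> str:
    """JWT segments use unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def granted_scopes(user_groups, client_scopes, consented, auto_approve=False):
    """Scopes a token may carry: user's groups AND client's allowed scopes AND user consent.
    With auto-approve the consent filter is skipped, as the slide notes."""
    allowed = set(user_groups) & set(client_scopes)
    return allowed if auto_approve else allowed & set(consented)


def mint_token(subject, client_id, scopes, issuer=ISSUER, ttl=300, now=None):
    """Issuer side: header.payload.signature, signed with HS256 over the first two segments."""
    issued_at = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer, "sub": subject, "aud": [client_id],
        "iat": issued_at, "exp": issued_at + ttl, "scope": sorted(scopes),
    }

    def compact(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = compact(header) + "." + compact(claims)
    signature = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token, issuer=ISSUER, audience=CLIENT_ID, now=None):
    """Resource-server side. Returns the claims or raises ValueError.
    Order matters: pin the algorithm and verify the signature before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # rejects alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("wrong audience")
    current = int(time.time() if now is None else now)
    if current >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def authorize(token, required_scope, issuer=ISSUER, audience=CLIENT_ID, now=None):
    """True only if the token verifies AND carries the scope the endpoint requires."""
    try:
        claims = verify_token(token, issuer, audience, now)
    except ValueError:
        return False
    return required_scope in claims.get("scope", [])


if __name__ == "__main__":
    # Constructed consent to menu.read; the slide's todo.read would leave the intersection empty.
    scopes = granted_scopes(USER_GROUPS, CLIENT_SCOPES, ["menu.read"])
    token = mint_token("alice", CLIENT_ID, scopes)
    print("token scopes:", sorted(scopes))
    print("GET /menu (needs menu.read):", authorize(token, "menu.read"))
    print("POST /orders/admin (needs order.admin):", authorize(token, "order.admin"))
```

Two points worth noting in `verify_token`: the algorithm is compared against the one the service expects rather than read from the header and trusted, and signature verification happens before the payload is even parsed, so a forged payload or an `alg: none` header never reaches the claim checks.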
14. Cloud-Native Enterprise Security
● Repair: repair vulnerable software (CVEs) as soon as updates are available.
● Repave: repave servers and applications from a known good state. Do this often.
● Rotate: rotate user credentials frequently, so they are only useful for short periods of time.
16. Leaking Credentials is Easy & Expensive
● 97% unable to identify a sophisticated phishing email ~ Intel
● 1.5MM new phishing sites created each month ~ WebRoot
● 95% of successful enterprise attacks are the result of spear phishing ~ SANS Institute
● 55% use the same password across several accounts ~ Gemalto [Data Breaches & Customer Loyalty]
● $3.86MM average cost of a data breach ~ IBM Security Research